Wednesday, May 24, 2017

Professionalisation in IT and public safety

A recent article entitled "Nobody should have to die because we didn’t apply a security patch…" was published on Kable, written by David Evans, director of policy and community for BCS, The Chartered Institute for IT.
I will let the article title pass as click bait (it may have been an editorial decision), but the thrust of the article is that people's lives were placed at risk in the UK due to the recent WannaCrypt ransomware events affecting NHS institutions and many others around the world, and that ICT professionals are the point of failure.
The point that care shouldn't be affected by cyber attacks that we have good solid published patches for is a reasonable one. However, to paint a picture that this is a professional failure on the part of ICT staff, and that it shows that ICT workers need to exercise the same sort of professional control over systems as healthcare professionals exercise in delivering care to patients, is to my mind a very long bow. To quote part of the article:
So what’s the answer? Well, we need a visible, recognised cadre of accountable professionals working in IT (or informatics as they call it) in the NHS, and we need a visible, cadre of accountable professionals working in information security across the public and private sectors. Both having a cross-over, of course. We need those professionals to be self-governing, public-focused, but accountable individually and collectively to the public they serve. That’s why we have professional bodies, and this is the function that is performed by the General Medical Council, Royal College of Physicians and so on for doctors. For IT and security we have bodies like BCS, the IET, and a number of others. We have the structures, but until now it hasn’t been clear to the public and public institutions why this is so important.
The rest of the article further reinforces that ICT needs to stand up as a profession. Now this is all laudable and it is a drum that BCS has long been banging, and yes it is a factor, but is it a root cause or currently even a major determinant?
Do we know how to build secure systems as an industry? The answer is a qualified yes - no security system is perfect, and well financed adversaries are a formidable threat that is very difficult to mitigate.
So if we know how to do it why are systems like those in healthcare not as well protected as we know how? The answer to that is - Security is a complex organisational responsibility. It involves a complex risk management estimation across our old friends Confidentiality, Integrity and Availability. These estimations normally need to be made at the senior executive level in an organisation as the costs are so high, not just in technology or tools which often are not that big a component but in things like: 
  • Effort involved to stay on top of patches and security issues
  • Loss of availability of systems during patching and possible disruption due to unexpected "features" in the patch 
  • Willingness to upgrade systems regularly and deal with impacts on legacy systems 
  • Expending the time on staff training in security and updated systems
  • Ensuring that there are adequate Disaster Recovery capabilities to deal with attacks that do cause harm
  • Building environments with suitable micro-segmentation and functional limits to protect key information assets
  • Developing the extensive situational awareness of normal state so we can quickly detect threat vectors active in environments
  • and many others

Now the antipodes are far from the UK and maybe it is different, but as a Health Informatician and then as an IT practitioner in more security conscious organisations I have found that the security posture is rarely set by the IT staff or indeed even the CIO or CISO. Security posture is led and promulgated by boards and senior leadership.
The things that make people sit up and take IT security seriously as an organisation are things like: 

There has to be a reason for organisations to act, and even then, as Target's breach and many others show, it is still possible to fail to take advice and to act without due care despite appearing to be compliant with standards and regulation.
IT security is hard and it only happens to the level the organisation wants to support and at the level of risk and cost the organisation's leadership is prepared to bear. ICT professionals need to understand the domain and work with ICT Security specialists to ensure leadership are properly briefed and informed and strategies are implemented according to leadership directive.
However the management of that risk is like any other business risk - it is the responsibility of the organisation's leadership, not the ICT staff, as ICT staff do not have a prescribing pad or the ability to write treatment plans that a massive organisation like the NHS will then strive mightily to follow. We don't have that sort of authority in organisations and I am not convinced we should.
Even in health care individual practitioners do not decide how they wish to deal with Infection Control; that is determined by expert committees and senior leadership according to evidence-based practice and risk calculations and then promulgated as hard "must do" policy. If health care institutions dealt with ICT Security as they do Infection Control and sanitation then I think the risk profile that WannaCrypt had to exploit would have been greatly different.
I agree with David that ICT professionals need to be just that: professional, accountable and willing to speak truth to power - but the power has to be willing to listen.

Friday, June 12, 2015

Situational Awareness and System Administration

Introductory Rant

It is sometimes hard to remember that much of what we see in ICT is a re-interpretation or re-building of what we have done before. There is little in our modern landscape that was not done by the trailblazers in Mainframe, Mini and Unix domains. Whilst technology advances and Moore's Law makes us so mighty compared to what has gone before, it is still interesting how much is a re-purposing.

There are still of course fundamental breakthroughs in Information Science and I would suggest some items:

  • The building of scalable Map/Reduce approaches using parallelism to deal with massive Key/Value Pair Sets.
  • The use of Graph Math to build Graph DBs and systems
  • The addition of Polymorphism to the basic Sequence, Selection, Repetition and Recursion of Algorithm design
  • The WIMPS GUI concepts that came spectacularly to life at XEROX PARC

These are serious advances in our basic approach to information.

We are now deep into the rebirth of the coder as System Administrator - with DevOPS approaches vastly improving how we scale, orchestration is king and many of the culture wars of the day around these approaches and the related Containerization and MicroServices are being hailed as a REVOLUTION.

Now these approaches do make us mighty but a revolution - that is just unmitigated poo!

  • Scripting - every major OS post Babbage
  • Cattle vs Pets - HPC folks must be on their fifth T-Shirt with that on it.
  • Cloud - Bureau with Moore's Law and Internet on its side
  • MicroServices - Go read Juliff on Structured Systems - Grrrr

What we are seeing is an evolutionary change, not a revolutionary one. That doesn't make it less valuable or less startling in what folks are achieving. Google, Amazon, Azure and all the fellow travellers are causing us to rethink the enterprise's strategic approach to ICT and that change is tectonic - it is as vast and uncharted as the PC revolution.

It's the strategy that is changing, and it's leading us places in terms of building consumable things enterprises and individuals want in all sorts of new ways. That's the step change, not the technology or the rediscovery of command line and coding in System Administration.

Problem Statement

In all of this I see an interesting break point that I don't think is being adequately thought through - we are now coalescing so much capability, voice, data, geolocation and goodness knows what else, that the systems have long since become the business. Despite this, our ability to understand the state of these systems of systems is normally marginal to say the least.

Most Sys Admin teams would have seen their most senior Network folks struggle over multiple consoles and endless cryptic commands and logfiles to try to figure out why the network has decided to do a strange thing. It is painful to watch hugely clever people trying to correlate and understand so many disparate information flows to eventually get to the proof that "It's actually a server problem" :-)


Tuesday, October 21, 2014

VALE Edward Gough Whitlam - A gentle giant lost to us.

There are few people who took as much care of the Australian people and Nation:
He was:

  • A Classical Intellectual
  • A Navigator in the RAAF in World War II
  • A family man
  • One of our greatest politicians, in the company of Parkes, Chifley and Curtin


Gough gave us:

  • Sewers in our great cities
  • The beginning of Indigenous land rights
  • Free University Education
  • Regional Development
  • Universal health care
  • Bringing Australia to the door of Asia and giving us a respectful relationship with China


We are diminished at his passing - but let us celebrate a life that brought such humanity and grace to our Wide Brown Land

Friday, August 08, 2014

MetaData storage and a more reasonable explanation

Well we seem to have been offered a more reasoned explanation of what the security services are after from David Irvine and Andrew Colvin of AFP. Their argument seems to be that they want to be able to do Traffic Analysis.

Now this seems reasonable and their argument as to wanting a consistent set of storage across various communication mediums makes sense. So we face what seems to be a reasonable request from the Intelligence Community and I wouldn't seek to deny them this.

However there is a lot more in the MetaData stores that they could use for other purposes, such as reconstructing browsing histories, and also just as a way to trawl through stuff via traffic type analysis. I think that they need to offer a clear way that can be publicly shown that they are only using it this way. David I. mentioned the Inspector General but this is another part of the community that does not openly engage - there must be a middle ground - why not have a group of cleared folks from the community who act as reviewers and report to the community?

Something like the ABC Community Advisory board - with hard term limit of say 4 years. 


TRUST BUT VERIFY

Update:

Interesting article on how it just keeps going wrong with these things

Thursday, August 07, 2014

Envelopes MetaData, Intelligence and amazingly incompetent Pollies

So harvesting IP metadata and other such from every Internet communication in the country is the equivalent of what we have always done with reading envelopes. Now let us not take that at face value, for otherwise the government is declaring that since the Act of Federation in 1901 the Post Master General's Department and its successor have captured and indexed in a usable manner the destination address and sender of every piece of mail in the last 114 years.

Now this seems somewhat unlikely, so basically this assertion is an untruth.

Also let us look at the differences between snail mail and TCP/IP style communications.

Snail Mail attributes

  • Address is a physical location and not necessarily any individual
  • There is no requirement to provide sender details
  • Mail is not guaranteed delivery
  • Receipt and tracking are rare and extraordinary services
  • A plain enveloped letter reveals minimal additional "metadata" about the contents of the letter or volume of data contained
  • Point of sending can be anywhere and not related to location of sender
  • Sending time and date can not be reliably known other than postmark times at sorting centres - a post box has no memory of who did what when
  • There are normally no records of any kind kept by the delivery service
  • Letters can be transported by other mechanisms completely isolated from postal system - e.g. couriers

TCP/IP Comms over the Interweb

  • Packets are typed by protocol etc - declaring significant data about content - "I am Email" or web etc
  • Volume of traffic indicates level of activity and volumes of information moving between participants
  • Traffic endpoints for both sender and delivery are carefully defined - and traffic can be recorded at many points on journey with great accuracy - unless specific obfuscation measures are taken
  • Many traffic types have significant error detection and guarantee reliability
  • This type of Metadata is a rich source for retrospective mapping of networks of activity and individuals - it is machine readable and easily stored and indexed and searched - thus the value to Intelligence community
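To make the contrast with an envelope concrete, the following is an added example (not part of the original post) that reads only the IPv4 and TCP headers of a few constructed packets and builds the kind of searchable index the list above describes. The addresses are documentation ranges, the port-to-service table is a small illustrative assumption, and the payload is never inspected.

```python
import socket
import struct
from collections import defaultdict

# Illustrative subset of well-known ports (assumption for this example).
PORT_HINTS = {25: "email (SMTP)", 80: "web (HTTP)", 443: "web (HTTPS)"}
IP_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header
TCP_FMT = "!HHIIBBHHH"     # fixed 20-byte TCP header

def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4+TCP packet (sample data, checksums left zero)."""
    total = 20 + 20 + len(payload)
    ip = struct.pack(IP_FMT, 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def envelope(packet):
    """Return what the headers alone declare; payload bytes are not read."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4            # IP header length in bytes
    meta = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "protocol": proto, "bytes": total}
    if proto == 6:                        # TCP: destination port types the traffic
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        meta["service"] = PORT_HINTS.get(dport, f"port {dport}")
    return meta

def contact_index(packets):
    """Aggregate who talked to whom, about what kind of thing, and how much."""
    idx = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        m = envelope(p)
        key = (m["src"], m["dst"], m.get("service"))
        idx[key]["packets"] += 1
        idx[key]["bytes"] += m["bytes"]
    return dict(idx)

# Constructed sample traffic: two web packets and one email packet.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", 40000, 443, b"x" * 100),
    build_packet("192.0.2.10", "198.51.100.5", 40000, 443, b"x" * 300),
    build_packet("192.0.2.10", "203.0.113.9", 40001, 25, b"x" * 50),
]

if __name__ == "__main__":
    for key, stats in contact_index(SAMPLE).items():
        print(key, stats)
```
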

Thus we can see this is a whole new level of surveillance and as such something that could have great value but also can be a very large invasion of privacy and subject to abuse.

It is easy to see why Mr Irvine and his peers see value in such a data store but it will not be cheap and it will be funded by those being monitored. Yet to date no one has presented any hard evidence on value and what the "business case" for this new collection is.

The standard excuse that explaining the use case and the number of times the capability is used is showing secrets is spurious - everyone knows what the capability is - it should be easy to show what the value is in terms of cases, lives and dollars - personally I feel the case is probably pretty nebulous.

The Australian people have the right to TRUST BUT VERIFY

Friday, July 25, 2014

Airplanes, loss, blood and treasure

There seems to be something about the loss of an airliner full of Westerners that gets folks all worked up. The shoot down of MH-17 is an awful piece of a sad and largely pointless civil war, and the loss of life is tragic. But the loss of the Air Algerie aircraft creates barely a ripple; is it less tragic?

The grieving of friends and relatives deserves our respect and support - and we should ensure the bodies of folks lost are repatriated with respect and dignity. We should also do what we can to support Malaysia and Ukraine as they investigate.

Posturing about the rights and wrongs of a civil war and the foolishness of players in this does nothing to resolve the dilemma. This is being used as a distraction by politicians - focus on the issue with the pictures and grief, ignore everything else. Treating our lost civilians as if they are fallen soldiers just feels cheap and tacky.

Australia sat on the side lines for a year whilst Ukraine writhed in Civil War and Russian bullying - we tragically lose 39 people and suddenly we want a seat at the high table and our Governor General is at ramp ceremonies.

A sad event and the grief of many affected folks is being turned into a public spectacle - whilst everyday endless suffering in Australia and elsewhere is ignored. This is a boondoggle.

Tuesday, July 08, 2014

Asylum seekers - we should offer Asylum

Australia is a Polyglot nation with many wonderful attributes
Australia is my nation and my home

However we have a long and tawdry history of racism and Xenophobia and the behaviour we as a nation state are allowing our politicians to display around "Boat People" is deeply unjust.

Any asylum seeker seeking our protection should be offered it in a generous and concerned spirit - if we find the individual is a risk or a concern then we have open judicial and policing methods enough to deal with them and preserve public safety.

The Immigration Star Chambers and creation of a Border Protection Force that are not answerable to normal police methods and the judiciary is unsafe - it places good governance and thus the nation state at risk.

Our major Political Parties show themselves to be callow power hungry ciphers for the worst of our populace's prejudices.

We are shamed